[SOGo] SAML Vulnerability

2021-06-01 Thread Francis Lachapelle
Dear Community Member,

With the recent vulnerability found in the Lasso library (CVE-2021-28091), 
which SOGo uses to do SAML-based authentication, we urge you to either disable 
SAML authentication or temporarily disable the SOGo service until updated 
packages are available for your operating system of choice and until we release 
SOGo v5.1.1 and v2.4.1.

SOGo has its own vulnerability regarding the Lasso usage (CVE-2021-33054) and 
we will provide updated SOGo packages in about two hours to fix this.

If you are NOT using SAML authentication, you are not affected by this bug, nor 
do you need to upgrade.

In order to have the full fix for these issues, you must update Lasso to 
v2.7.0 or later and update the SOGo packages. You should also invalidate all 
current user sessions 
(https://www.sogo.nu/support/faq/how-to-invalidate-all-users-sessions.html#/faq).

If you need further assistance on this issue, please use the mailing list.

Thanks,

The Inverse team




[SOGo] ANN: SOGo v5.1.1 released!

2021-06-01 Thread "SOGo Reporter"
Minor release, but many bug fixes. Download it now!

NEW RELEASE
ANNOUNCEMENT
SOGo v5.1.1

The Inverse Team is pleased to announce the immediate availability of SOGo version 5.1.1.

This is a minor release of SOGo which focuses on improved stability over previous versions.

Enhancements

- core: cache the schema of LDAP user sources (d0056d3)

Bug Fixes

- addressbook: import contact lists from LDIF file (e1d8d70), closes #3260
- calendar(css): enlarge categories color stripes (bd80b6e), closes #5301
- calendar(css): enlarge categories color stripes (e5d9571), closes #5301
- calendar(js): fix URL for snoozing alarms (d4a0b25), closes #5324
- calendar(js): show conflict error inside appointment editor (fec299f)
- core: avoid appending an empty domain to uid in cache (debcbd1)
- core: change password in user's matching source only (da36608)
- core: decompose LDAP nested groups, cache logins (a83b0d8)
- core: don't bind a DN to LDAP sources with a different search base (e0b6e22)
- css: adjust colors of center lists of views (045879a), closes #5291
- mail: handle folders that end with a question mark (657f00f), closes #5303
- mail: retrieve IMAP delimiter after LIST command (189aab3)
- mail: use default signature when forcing default identity (dc81f70)
- mail(css): improve HTML sanitization of background attribute (72321ec)
- mail(html): add missing ARIA labels (66afbd2)
- mail(js): add CKEditor plugin pastefromgdocs (517b888), closes #5316
- mail(js): add debouncing on keyup events of sgAutogrow (d303247)
- mail(js): add tooltip with email of attendees in invitation (af61752)
- mail(js): avoid updating the DOM before closing editor (bed91ce)
- mail(js): don't delay the progress indicator when loading mailbox (049c17f), closes #5278
- mail(js): unselect all messages when changing mailbox (bfbf43b), closes #4970 #5148
- saml: don't ignore the signature of messages (e536365)
- saml: fix profile initialization, improve error handling (1d88d36), closes #5153 #5270
- web: allow to change expired password from login page (bdd8e35)
- web: allow to change expired password from login page (8e98af0)
- web: restore support of ppolicy OpenLDAP overlay (0c1f9fd)
- web(js): don't cache users results in ACL editor (4501b5e)

Localization

- fr: update French translation (7bebc71)
- sk: update Slovak translation (376c473)

See the closed tickets for this release and the complete change log.

Download
Upgrade Instructions →

What is SOGo

SOGo is a free and modern scalable groupware server. It offers shared calendars, address books and emails through your favorite Web browser or by using a native client such as Mozilla Thunderbird and Lightning, Apple Calendar and Address Book (Mac OS X and iOS) and Microsoft Outlook.

SOGo is standard-compliant and supports CalDAV, CardDAV and reuses existing IMAP, SMTP and database servers - making the solution easy to deploy and interoperable with many applications.

SOGo features:

- Scalable architecture suitable for deployments from dozen to many thousand users
- Rich, responsible Web-based interface aligned with Google Material Design guidelines
- Improved integration with Mozilla Thunderbird and Lightning by using the SOGo Connector and the SOGo Integrator
- Two-way synchronization support with any Microsoft ActiveSync-capable device (Apple iOS, Android, Windows Phone, BlackBerry 10) or Outlook 2013/2016
- Excellent native integration with Apple software (OS X and iOS) and Android-based devices
- and many more!

SOGo and our connectors are completely free.

Try Online

Available accounts: sogo1, sogo2 and sogo3.
Their password is the same as their username.

Helping

SOGo is a collaborative effort in order to create the best Free and Open Source groupware solution.

There are multiple ways you can contribute to the project:

- Documentation reviews, enhancements and translations
- Write test cases - if you know Python, join in!
- Feature requests or by sharing your ideas
- Participate to the discussion in mailing lists
- Patches for bugs or enhancements
- Provide new translations

Feel free to send us your questions. You can also post them to the SOGo mailing list.

Getting Support

For any questions, do not hesitate to contact us by writing to supp...@sogo.nu

Customer support packages for SOGo are also available.

[SOGo] ANN: SOGo v2.4.1 released!

2021-06-01 Thread "SOGo Reporter"
Minor release, but many bug fixes. Download it now!

NEW RELEASE
ANNOUNCEMENT
SOGo v2.4.1

The Inverse Team is pleased to announce the immediate availability of SOGo version 2.4.1.

This is a minor release of SOGo which focuses on improved stability over previous versions.

Bug Fixes

- addressbook(js): handle multi-values organization field (c_o) (69b86d3), closes #5312
- mail: avoid exception on recent GNUstep when no filename is defined (a2ef542)
- saml: don't ignore the signature of messages (c0e6090)
- saml: fix profile initialization, improve error handling (3d1b365), closes #5153 #5270

See the closed tickets for this release and the complete change log.

Download
Upgrade Instructions →

What is SOGo

SOGo is a free and modern scalable groupware server. It offers shared calendars, address books and emails through your favorite Web browser or by using a native client such as Mozilla Thunderbird and Lightning, Apple Calendar and Address Book (Mac OS X and iOS) and Microsoft Outlook.

SOGo is standard-compliant and supports CalDAV, CardDAV and reuses existing IMAP, SMTP and database servers - making the solution easy to deploy and interoperable with many applications.

SOGo features:

- Scalable architecture suitable for deployments from dozen to many thousand users
- Rich, responsible Web-based interface aligned with Google Material Design guidelines
- Improved integration with Mozilla Thunderbird and Lightning by using the SOGo Connector and the SOGo Integrator
- Two-way synchronization support with any Microsoft ActiveSync-capable device (Apple iOS, Android, Windows Phone, BlackBerry 10) or Outlook 2013/2016
- Excellent native integration with Apple software (OS X and iOS) and Android-based devices
- and many more!

SOGo and our connectors are completely free.

Try Online

Available accounts: sogo1, sogo2 and sogo3.
Their password is the same as their username.

Helping

SOGo is a collaborative effort in order to create the best Free and Open Source groupware solution.

There are multiple ways you can contribute to the project:

- Documentation reviews, enhancements and translations
- Write test cases - if you know Python, join in!
- Feature requests or by sharing your ideas
- Participate to the discussion in mailing lists
- Patches for bugs or enhancements
- Provide new translations

Feel free to send us your questions. You can also post them to the SOGo mailing list.

Getting Support

For any questions, do not hesitate to contact us by writing to supp...@sogo.nu

Customer support packages for SOGo are also available.

Re: [SOGo] SAML Vulnerability

2021-06-01 Thread Francis Lachapelle
Hi

Packages for releases v5.1.1 and v2.4.1 are now available, as well as new 
nightly builds.

Don't forget to also update lasso if you use SAML2 authentication.

Thanks,

Francis

> On Jun 1, 2021, at 08:45, Francis Lachapelle wrote:
> 
> Dear Community Member,
> 
> With the recent vulnerability found in the Lasso library (CVE-2021-28091), 
> which SOGo uses to do SAML-based authentication, we urge you to either 
> disable SAML authentication or temporarily disable the SOGo service until 
> updated packages are available for your operating system of choice and until 
> we release SOGo v5.1.1 and v2.4.1.
> 
> SOGo has its own vulnerability regarding the Lasso usage (CVE-2021-33054) and 
> we will provide updated SOGo packages in about two hours to fix this.
> 
> If you are NOT using SAML authentication, you are not affected by this bug, 
> nor do you need to upgrade.
> 
> In order to have the full fix for these issues, you must update Lasso to 
> v2.7.0 or later and update the SOGo packages. You should also invalidate all 
> current user sessions 
> (https://www.sogo.nu/support/faq/how-to-invalidate-all-users-sessions.html#/faq).
> 
> If you need further assistance on this issue, please use the mailing list.
> 
> Thanks,
> 
> The Inverse team
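
The conditions stated in the advisory above (SAML in use, Lasso v2.7.0 or later, SOGo v5.1.1 or v2.4.1) can be checked per host. The shell functions below are an added example, not code from the SOGo project or from this thread; the function names and sample versions are constructed, and `SOGoAuthenticationType` is SOGo's configuration key for the authentication type. Version strings are assumed to be upstream ones: distribution packages that backport fixes keep older numbers and need a check against the vendor advisory instead.

```sh
#!/bin/sh
# ver_ge A B -> exit 0 if dotted version A >= B (first three numeric fields).
ver_ge() {
    a=$1; b=$2
    for i in 1 2 3; do
        x=$(printf '%s.' "$a" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s.' "$b" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# sogo_status VER -> fixed | vulnerable | unknown
sogo_status() {
    major=$(printf '%s.' "$1" | cut -d. -f1)
    case $major in
        5) if ver_ge "$1" 5.1.1; then echo fixed; else echo vulnerable; fi ;;
        2) if ver_ge "$1" 2.4.1; then echo fixed; else echo vulnerable; fi ;;
        *) echo unknown ;;  # the advisory names fix releases for 5.x and 2.x only
    esac
}

# saml_enabled FILE -> exit 0 if the config selects SAML2 (skips // comment lines).
saml_enabled() {
    grep -v '^[[:space:]]*//' "$1" |
        grep -Eq 'SOGoAuthenticationType[[:space:]]*=[[:space:]]*"?saml2'
}

# assess SAML(yes|no) SOGO_VER LASSO_VER -> one-line verdict
assess() {
    if [ "$1" != yes ]; then echo "not-affected"; return 0; fi
    s=$(sogo_status "$2")
    if ver_ge "$3" 2.7.0; then l=fixed; else l=vulnerable; fi
    if [ "$s" = fixed ] && [ "$l" = fixed ]; then
        echo "patched: invalidate existing sessions"
    else
        echo "action-needed: sogo=$s lasso=$l"
    fi
}

# Constructed sample hosts: SAML flag, SOGo version, Lasso version.
assess yes 5.1.0 2.6.1
assess yes 5.1.1 2.7.0
assess no 2.3.0 2.5.0
```

A host only reaches the "patched" verdict when both components are at or above the fixed versions, which matches the advisory's requirement to update Lasso and SOGo together.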





[SOGo] BTS activities for Tuesday, June 01 2021

2021-06-01 Thread SOGo reporter
BTS Activities

  Home page: https://sogo.nu/bugs
  Project: SOGo
  For the period covering: Tuesday, June 01 2021

id    last update          status (resolution)  category         summary
5331  2021-06-01 01:12:11  updated (open)       Web Calendar     Free/Busy function does not work in Outlook 2019 Pro Plus Active Sync account
1585  2021-06-01 16:30:12  updated (open)       Web Mail         Option to not automatically mark mails as read
4503  2021-06-01 16:31:41  updated (fixed)      Web Mail         SOGo webmail attachment decoding error (winmail.dat)
3281  2021-06-01 16:30:13  updated (open)       Web Preferences  email - auto read ( enable / disable)
5332  2021-06-01 12:12:39  updated (open)       with SOGo        Problem with displaying SOGo in browser (with tested temporary solution )
5329  2021-06-01 16:31:02  acknowledged (open)  Web Calendar     Editing an one occurrence of a repeating event and saving it, the Description field is not displayed anymore.
5270  2021-06-01 11:29:11  resolved (fixed)     Backend General  SSO with Keycloak for SAML2.0 broken
5153  2021-06-01 11:29:11  resolved (fixed)     Backend Mail     SAML2 login mapping
5292  2021-06-01 09:37:08  resolved (fixed)     Web Mail         SAML auth seems to have stopped working between 5.0.1-1 and 5.1.0-1



-- 
users@sogo.nu
https://inverse.ca/sogo/lists